I got a worrying email last night from a friend and ex-colleague, letting me know that he’d had a phishing message purportedly from my Last.FM account.
Oops, we both thought – I’d been hacked. I went in and changed my password.
I subsequently discovered an email to me ‘from’ another colleague that also looks very much like a phishing attempt. Interestingly, this email refers to a new Shoutbox message that doesn’t appear in my Shoutbox on the site itself.
It’s quite possible I was phished or that someone guessed my rather weak password, but the fact that there’s no message on the site when the email says there is suggests that something more sinister may be afoot – if the email isn’t from Last.FM, how would the phishers know my email address, which isn’t published on my profile page?
And although they could easily use my profile to find the people I know, these things don’t tend to rely on someone actually sat at a computer spending time on stuff like that – they’re normally automated.
So what’s going on here? Has somebody got hold of Last’s email database yet they’re unable to read the passwords? Was I phished? Or is there simply an easy way of finding someone’s email address from their Last profile?
OK, I had to write this in a hurry and have now had time to take a better look. It is a straightforward case of my account being hacked or me having been phished. Working on a couple of theories…